OH3 with NGINX Reverse Proxy and Authentication

If I drop the word Secure from the haproxy line, it shows Secure=false in firefox.

There is something odd, as if I keep hammering the login box, there is nothing in the logs. I don’t know if that’s intentional to avoid DDOS, or is there some problem for the login dialog script in firefox getting back to openhab via haproxy.

Anyhow, if anyone has ideas why it behaves like this, please help.

The Firefox console pukes this out while trying to log in:

Initializing state tracking store proxy app.js:37:1835
Uncaught (in promise) undefined
Uncaught (in promise) undefined
Using passed credentials app.js:7:121713
Uncaught (in promise) undefined app.js:32:436561
    loadData https://o.mydomain.com/js/app.js:32
Uncaught (in promise) undefined
Uncaught (in promise) undefined

There is a graduated backoff time after a failed login. I don’t remember what the time is but I remember there being a discussion about how it could be a mechanism for a denial of service. I don’t know if that ever changed.

Beyond that I’m no expert in this stuff. It worked for me as described above and I don’t know HAProxy well enough to begin to diagnose this problem.

I’ll move the haproxy config discussion to its own topic, as this is not related to NGINX: OH3 behind haproxy. Let’s continue the HAProxy topic there.

Hi,

I am trying to externalize my instance using Nginx. I have a few questions because the more I read the more mixed up it gets…

First of all what is the best practice to externalize OH3?
Do I need to turn on / off the Api Security → Basic Auth setting?
If I am only using OH3 auth and do not use basic auth in Nginx, is there a way to disable Anonymous auth?

I followed the Nginx setup document and now I have basic auth enabled. Still without entering the basic auth creds the page loads:

I am also trying to use the iOS app. I know that currently it cannot render MainUI; however, I could still utilize Shortcuts and some other stuff, so it would be good to be able to use it remotely. What do I need in order to be able to use the app? Because I set the username and password but it is not working. Which auth methods is the app compatible with?

Use myopenhab.org. Failing that, use a self-hosted version of the openHAB Cloud server. Only after failing that consider NGINX.

Don’t do that. openHAB auth only protects certain administration functions. It does not protect the whole installation. As a result, anyone on the internet will be able to access your Pages and send commands to your Items without any authentication/authorization. You need to add additional auth/auth using NGINX. That’s sort of the point.

I can’t speak to the iOS app. In the android app you can set up basic auth credentials for the remote connection URL. I assume that the iOS app works the same. But that means you have to implement basic auth in your NGINX configuration.

As a general rule of thumb, if you have to ask these sorts of questions I strongly recommend against punching a hole through your firewall like this, even with a reverse proxy. You can get it to work but you most likely do not have the knowledge nor the skills to continuously monitor it and identify and mitigate the attacks on your server when they occur.

There is some evidence here on the forum that there are attack bots that are openHAB aware and will recognize your server and perform automated attacks.

It is more about that I read the document, I checked the threads and it was simply not clear how to proceed. Especially because some of the information is still only mentioning OH2 and since it’s been 3 years since I used OH I’m a bit disconnected.

Anyway, I am not really worried about attacks and hosting my own solution; I have Azure Front Door and WAF around my services. That said, if the generic recommendation is to use it with myopenhab.org / self-hosted OH cloud server, then I’ll probably go with one of those.

It would be still good to understand why the site is opening when I have the basic auth set. I would assume that the site should be only loading once the auth occurs. For the iOS app I read several threads all mixed information, so if anyone has up to date experience with it I would love some input.

Thanks!

As I said, openHAB’s auth only protects the administration parts of the REST API. It doesn’t protect the user portions (e.g. your Pages). It’s not a complete security protection mechanism. You would have to have basic auth configured in your NGINX reverse proxy to protect those with username and password too. Of course then to get to the admin parts of the OH you’d have to authenticate twice, once with NGINX and again with openHAB.

As I said, I have Nginx basic auth configured. My issue was that even with that set, some of the pages loaded (I was not able to perform any actions without typing the u/pw in).

I had time this morning to investigate further; it seems that the problem was with my CDN caching the content. I turned it off and now it is properly asking for the auth without presenting any pages (cached content). So this part is solved…

…Still the iOS app is not working.

Is this still true? Because if it is then I would need to stick to client certs if I would keep the Nginx approach.

Probably better to continue here.
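
The failure reported above, where a CDN kept serving cached pages in front of NGINX basic auth, shows up in the response metadata of a request sent without credentials. This is an added example, not code from any poster in this thread; the header samples are constructed, and `X-Cache` is a common but non-standard CDN header assumed here.

```python
"""Added example: detect a CDN replaying cached pages in front of NGINX basic auth."""

def cache_directives(headers):
    """Lower-cased Cache-Control directive names; expects lower-cased header keys."""
    value = headers.get("cache-control", "")
    return {p.split("=")[0].strip().lower() for p in value.split(",") if p.strip()}

def audit_unauthenticated(status, headers):
    """Findings for the response to a request sent WITHOUT an Authorization header."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if 200 <= status < 300:
        findings.append(f"status {status}: content served without credentials")
    # Age is the standard sign of a cached response; X-Cache is a common,
    # non-standard CDN header (assumed here, check your CDN's documentation).
    if "age" in h or "hit" in h.get("x-cache", "").lower():
        findings.append("answered from a cache, the origin never saw the request")
    if 200 <= status < 300 and not (cache_directives(h) & {"no-store", "private"}):
        findings.append("no 'no-store' or 'private': a shared cache may keep this page")
    return findings

# Constructed samples: what the edge returned while caching was on, and what
# NGINX itself returns once the request reaches it.
CDN_CACHED = (200, {"Content-Type": "text/html", "Age": "311",
                    "X-Cache": "TCP_HIT", "Cache-Control": "max-age=3600"})
ORIGIN_401 = (401, {"WWW-Authenticate": 'Basic realm="Restricted"',
                    "X-Cache": "TCP_MISS", "Cache-Control": "no-store"})

if __name__ == "__main__":
    for name, (status, headers) in (("cdn-cached", CDN_CACHED), ("origin", ORIGIN_401)):
        findings = audit_unauthenticated(status, headers)
        print(name, "OK" if not findings else findings)
```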

Hello,

Thank you all for the configuration tips!

I was wondering if there is a way to directly pass the username from the proxy to openhab? As after all the user is already authenticated by the proxy!

Something like that (example with apache used as a proxy authenticating the user) that would make openhab understand that there is no need to authenticate further but to proceed with the request for REMOTE_USER:

RequestHeader set X-Remote-User expr=%{REMOTE_USER}

It may (so I’d like to get the variable name) or may not be implemented (so I’d eventually request it)?


Hello,
I haven’t been with openhab long. I have read the entire thread and the conclusion has been that OH does not protect the REST API but only the administration part that an administrator sees. The other conclusion has been that if you want to protect the rest of the API by users, it should be done using NGINX. Any document where the process is clear? I found it a bit complex and lacking detail or guidance.

Thanks.

That’s not 100% correct I think. Disabling ‘implicit user roles’ will force authentication on everything UI.
You cannot have full roles i.e. distinguish between users (AFAIK) but that’s usually sufficient.

I think I have not understood very well, I have only been with openhab for a few weeks. So, it does not serve to protect the REST API accesses for example?

Thank you anyway.

openHAB REST processes are protected by openHAB 3-builtin user authentication.
But it’s not (controllable) authorization let alone granular or even real roles.
There’s essentially an admin area and a user area in OH UI. FYI, the UI is actually accessing OH through the REST API, too. By default, admin area is protected and user area is not (aforementioned ‘implicit user roles’ is on by default). Turning that off enforces authentication on the user area, too.
But you cannot redefine the areas and as said you cannot distinguish access between users.
